This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

OIDC Configuration from docs makes synapse crash on startup #12714

Closed
nhh opened this issue May 11, 2022 · 6 comments

Comments

@nhh
Contributor

nhh commented May 11, 2022

Description

Trying to configure synapse from here: https://matrix-org.github.io/synapse/latest/openid.html#keycloak

Steps to reproduce

  • just enable the default oidc_providers
  • synapse crashes

Uncommenting this causes synapse to crash.

oidc_providers:
  # Generic example
  #
  #- idp_id: my_idp
  #  idp_name: "My OpenID provider"
  #  idp_icon: "mxc://example.com/mediaid"
  #  discover: false
  #  issuer: "https://accounts.example.com/"
  #  client_id: "provided-by-your-issuer"
  #  client_secret: "provided-by-your-issuer"
  #  client_auth_method: client_secret_post
  #  scopes: ["openid", "profile"]
  #  authorization_endpoint: "https://accounts.example.com/oauth2/auth"
  #  token_endpoint: "https://accounts.example.com/oauth2/token"
  #  userinfo_endpoint: "https://accounts.example.com/userinfo"
  #  jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
  #  skip_verification: true
  #  user_mapping_provider:
  #    config:
  #      subject_claim: "id"
  #      localpart_template: "{{ user.login }}"
  #      display_name_template: "{{ user.name }}"
  #      email_template: "{{ user.email }}"
  #  attribute_requirements:
  #    - attribute: userGroup
  #      value: "synapseUsers"

Error messages:

May 11 19:00:05 matrix-001 systemd[1]: Failed to start Synapse Matrix homeserver.
May 11 19:00:05 matrix-001 systemd[1]: matrix-synapse.service: Failed with result 'exit-code'.
May 11 19:00:05 matrix-001 systemd[1]: matrix-synapse.service: Main process exited, code=exited, status=1/FAILURE

Version information

  • Version:
    {"server_version":"1.57.0","python_version":"3.8.10"}

  • Install method:
    Ubuntu apt-get install

  • Platform:
    Ubuntu

@DMRobertson
Contributor

Note that the generic example isn't going to be valid, because example.com isn't an OpenID provider.

Those error messages are from systemd. We need to see Synapse's logs. Try journalctl -u matrix-synapse -e.

@DMRobertson DMRobertson added the X-Needs-Info This issue is blocked awaiting information from the reporter label May 11, 2022
@nhh
Contributor Author

nhh commented May 12, 2022

@DMRobertson I already tried with real values.

The logs are from journalctl -u matrix-synapse -e.

It seems that this is a yaml parsing issue.

@DMRobertson
Contributor

We still need to see Synapse's logs. Try looking in /var/log/matrix-synapse/homeserver.log.

@nhh
Contributor Author

nhh commented May 12, 2022

@DMRobertson Okay, will try it after office hours today! Thanks for the pointer :)

@nhh
Contributor Author

nhh commented May 12, 2022

I was able to figure the issue out by myself.

Failing part
GET https://our-sso-server.de/auth/realms/EXAMPLE/.well-known/openid-configuration: 404

2022-05-12 17:24:49,302 - synapse.http.client - 442 - INFO - sentinel - Received response to GET https://our-sso-server.de/auth/realms/EXAMPLE/.well-known/openid-configuration: 404
2022-05-12 17:24:49,303 - synapse.app._base - 244 - CRITICAL - sentinel - Error during startup
Traceback (most recent call last):
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/handlers/oidc.py", line 120, in load_metadata
    await p.load_metadata()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/handlers/oidc.py", line 437, in load_metadata
    return await self._provider_metadata.get()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/util/caches/cached_call.py", line 136, in get
    return await self._cachedcall.get()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/util/caches/cached_call.py", line 106, in get
    self._result.raiseException()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/twisted/python/failure.py", line 500, in raiseException
    raise self.value.with_traceback(self.tb)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/twisted/internet/defer.py", line 1660, in _inlineCallbacks
    result = current_context.run(gen.send, result)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/util/caches/cached_call.py", line 126, in _wrapper
    return await f()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/handlers/oidc.py", line 449, in _load_metadata
    metadata_response = await self._http_client.get_json(url)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 587, in get_json
    body = await self.get_raw(uri, args, headers=actual_headers)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 679, in get_raw
    raise HttpResponseException(
synapse.api.errors.HttpResponseException: 404: Not Found

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/app/_base.py", line 229, in wrapper
    await cb(*args, **kwargs)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/app/homeserver.py", line 391, in start
    await oidc.load_metadata()
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/handlers/oidc.py", line 124, in load_metadata
    raise Exception(
Exception: Error while initialising OIDC provider 'oidc-keycloak'

Remove the /auth from the keycloak url and the setup works.

Like this:

https://our-sso-server.de/realms/EXAMPLE/.well-known/openid-configuration
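The root cause above is that Synapse builds the discovery URL from the configured issuer (issuer + /.well-known/openid-configuration) and fails startup when that fetch does not return a valid document. The following pre-flight check, added here as an example and not code from Synapse or from this issue, does the same fetch and validates the result before the URL goes into oidc_providers: it reports a non-200 status as a path problem rather than a bare startup failure, requires the document's issuer to match the configured one, and requires the endpoints Synapse needs to be present and served over https. The host sso.example.test, the fake_fetch stand-in and the sample metadata are constructed; the endpoint paths follow Keycloak's realm layout.

```python
# Added example: pre-flight validation of an OIDC issuer's discovery document.
# Not part of Synapse or of this issue; host names and metadata are constructed.
import json
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

Fetcher = Callable[[str], Tuple[int, bytes]]  # url -> (status, body)
WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery 1.0, section 4: well-known path appended to the issuer."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_issuer(issuer: str, fetch: Fetcher) -> Dict[str, str]:
    """Fetch and validate the discovery document; return the endpoints Synapse needs.

    Raises RuntimeError for an HTTP failure (wrong issuer path) and ValueError
    for a document that is present but not trustworthy or incomplete.
    """
    url = discovery_url(issuer)
    status, body = fetch(url)
    if status != 200:
        # The symptom from this issue: a 404 here means the issuer path is wrong
        # (e.g. a stale /auth prefix on a newer Keycloak), not a YAML problem.
        raise RuntimeError(f"GET {url} returned {status}; check the issuer path")
    metadata = json.loads(body)
    # The spec requires the document's issuer to be identical to the one used
    # for discovery; tolerating only a trailing slash is a local choice here.
    if metadata.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        raise ValueError(
            f"issuer mismatch: configured {issuer!r}, document says {metadata.get('issuer')!r}"
        )
    endpoints: Dict[str, str] = {}
    for key in REQUIRED:
        value = metadata.get(key)
        if not value:
            raise ValueError(f"discovery document lacks {key}")
        if urlsplit(value).scheme != "https":
            raise ValueError(f"{key} is not https: {value}")
        endpoints[key] = value
    return endpoints


# Constructed stand-in for the network: the realm answers at the current
# Keycloak path (no /auth) and returns 404 at the old one, mirroring the issue.
REALM = "https://sso.example.test/realms/EXAMPLE"
SAMPLE_METADATA = {
    "issuer": REALM,
    "authorization_endpoint": REALM + "/protocol/openid-connect/auth",
    "token_endpoint": REALM + "/protocol/openid-connect/token",
    "userinfo_endpoint": REALM + "/protocol/openid-connect/userinfo",
    "jwks_uri": REALM + "/protocol/openid-connect/certs",
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    if url == discovery_url(REALM):
        return 200, json.dumps(SAMPLE_METADATA).encode()
    return 404, b"Not Found"


def http_fetch(url: str) -> Tuple[int, bytes]:
    """Real fetcher for a live provider (not exercised in the offline run)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    for candidate in (REALM, "https://sso.example.test/auth/realms/EXAMPLE"):
        try:
            print(candidate, "->", check_issuer(candidate, fake_fetch)["token_endpoint"])
        except (RuntimeError, ValueError) as exc:
            print(candidate, "->", exc)
```

Swap fake_fetch for http_fetch to run the same check against a real provider before restarting the homeserver; a ValueError on issuer mismatch is worth treating as seriously as the 404, since it means the discovery document describes a different authority than the one configured.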

@DMRobertson
Contributor

Glad to hear it---thanks for following up!

@DMRobertson DMRobertson removed the X-Needs-Info This issue is blocked awaiting information from the reporter label May 12, 2022
DMRobertson pushed a commit that referenced this issue May 13, 2022
* Update openid.md

Newer versions of keycloak return a 404 when using the `/auth` prefix.

Related: #12714